- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- using greater than comparison on a property is not...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
using greater than comparison on a property is not working
I am trying to filter my results on a property that is greater than a certain value and it is not returning any results. If I do an equals to comparison it works. Below is my filter criteria and the property outline.
Query:
index="lab" source="*-test" | eval isGood=if('line.message.space-document.elements{}.y'>="1664","true","false") | where isGood="true" | stats count
Below is the format of the event i'm trying to capture:
line: { [-]
message: { [-]
space-document: { [-]
elements: [ [-]
{ [-]
x: 38
y: 1664
}
{ [-]
id: ac5q3ghn
x: 38
y: 708
}
]
}
}
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw ="{\"line\": { \"message\": { \"space-document\": { \"elements\": [ { \"x\": 38, \"y\": 1664 }, { \"id\": \"ac5q3ghn\", \"x\": 38, \"y\": 708 } ] } } } }"
| spath
for this result, y is multivalue.
| makeresults
| eval _raw ="{\"line\": { \"message\": { \"space-document\": { \"elements\": [ { \"x\": 38, \"y\": 1664 }, { \"id\": \"ac5q3ghn\", \"x\": 38, \"y\": 708 } ] } } } }"
| spath
| eval y='line.message.space-document.elements{}.y'
| eval count = mvcount(mvfilter(y>=1664))
| eventstats sum(count) as Total
If y is counted, it will look like this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this
index="lab" source="*-test" |rex field=_raw "y:(?<y>.*)"|eval isGood=if(y>=1664,"true","false")|..rest of your code
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the suggestion, but it didn't seem to change the results...however not sure if I coded it correctly:
index="lab" source="-test" | rex field=_raw "y:(?.)" | eval isGood=if(y=1664,"true","false") | where isGood="true" | stats count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @47024
Remove all code after the rex, are you able to see the values of 'y' returned by the rex? index="lab" source="*-test" |rex field=_raw "y:(?<y>.*)|table y"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This statement returns 2 :
index="lab" source="*-test" | eval y='line.message.space-document.design.elements{}.y' | where y="1664" | stats count
This statement returns 0:
index="lab" source="*-test" | eval y='line.message.space-document.design.elements{}.y' | where y>="1664" | stats count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No I don't see any results other than just 'y'. For context...I can use > comparison for properties out of one of the other groups...but the elements group is where it is having the problem. I was curious if it was because there can be 1-x elements per event?
https://docs.google.com/drawings/d/16qy44bgdiODiJTFmS7qqicVdvsOYtax57VZ00QKaFks/edit?usp=sharing
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
